BSidesROC 2025 - Oura Ring Data - Sarah Hayes

to introduce Sarah Hayes she's a dedicated digital forensics professional with a deep passion for iot forensics as a digital forensic researcher at hexia she specializes in analyzing artifacts from iot devices exploring digital forensic data sources developing and teaching comprehensive curricula and exams for both in-person and virtual iot training programs she has completed groundbreaking research on devices such as the is it AA Ora Ora and Facebook portal her research has been presented at multiple conferences including Sans deer Sumit and iasis her experience contributes to advancing forensic education and the understanding of iot Technologies in the digital forensics field so welcome Sarah and let me give you our thank you gift for speaking thank you very much and I'll

turn it over to you thank you that just made me sound really fancy um I'm Sarah I'm a forensic researcher at hex Soria um previously I worked as a digital forensic examiner um it security have a compliance officer um I have a bachelor's degree in computer forensics schedule investigations through Champlain and I'm a member of the htci New York Metro chapter New York today's agenda we're going to talk about what is oring where is the data located on an Android device in the cloud and in a Google takeout oring was developed in 2013 um it was not released until 2015 by py ET all um so um it's a Bluetooth wearable tracker that we can wear on our um

finger I actually have two today that I'm wearing I have a gen 3 and a Gen 4 we're going to talk about the Generation 3 has a titanium exterior with an epoxy resin interior um measurements are more static and fixed um they use a PPG sensor read resting heart rate heart rate variability um perspiration um they also have an accelerometer um to detect motion a pler oh she saw the slide and thought this thing was a plunger this is actually the charger it does not plunge anything I promise um here we have on the aura Generation 3 uh we have programming pads so tear Downs of these devices are very very difficult because of the titanium

and the epoxy resin there have been a couple that have tried to tear this down however they were not able to be remained intact so being able to look at everything inside of it is very difficult um and Aura does not like to put out what the data what type of sensors and everything that's available inside of it is proprietary information um so here we have on your left side we have the green and red LED sensors um on the left I was able to use a microscope to be able to take a look at see some of the programming um so we have presumed Pro programming logic that's in there Generation 4 it no longer looks

like a plunger for the charger um so it's Titanium on the inside and the outside with just cutouts for the actual sensors um they moved over to using with Generation 4 a smart sensing with 80 something different um sensors and algorithm that they use now to be able to dynamically select what type of path it wants to use on the ring itself um to be able to create the heart rate the motion everything like that um again we have the green and um red LEDs and then in here I show a close-up version of the LEDs um we have an accelerometer and you don't see in this picture but there's actually a digital um temperature sensor

that is very pronounced on that generation for and anyone can walk up when you were done and take a look at them if you'd like to um the oring application so what I did was I used a rooted Google pixel 6A for the Generation 3 and the generation 4 um we what I did was I was able to unlock the bootloader um I have a QR code or a link if you would like to understand how to do that on the Google pixel 6A pix already has a great walkthrough on how to do that I'll give everyone in a moment they want to take a picture okay and then we have to root it so I rooted this device using Magis um

again we have a great walkr on the website hexor dia.com by doing that I was able to grab a full file system um of the Android Google pixel so that I can take a look and see where all the data is stored here's the application itself we have the generation um we have firmware we have the ring the size um the bootloader information we have serial number and we have the MAC address so during investigations if you have the device itself you know you can confirm what these are but I'll show you where in the data you're going to find them anyway so Aura application is pretty interesting there's a lot of data that's available this Readiness score that you

see with the 87 Readiness score is based on your overall health it's not based on anything specifically it's just how doing in general I have an 87 because I cannot wear these to sleep um I have tried and then they get ripped off in the middle of the night I'm like okay there's it done um the walking um we have walking cycling um I'll tell you something interesting about that cycling a little bit um and then we have um our sleep score so sleep score 92 overall because I like to tear these things off during the day we only get a read score of 87 so my walking heart rate is 117 they're just walking that is because I

decided to take my beagle on his very first walk around humans and water that was a very large mistake because either wanted to take me swimming or wanted to talk to everybody that was walking by us it was very stressful um connected applications for the Android device we have straa and we have Health Connect that the user can connect with and then data is bidirectionally shared so Health Connect shares all of these different um measurements back and forth between Health Connect and Aura there's a lot um it's one of Google's Now new primary health tracker device um applications only because they're getting rid of the Google fed um we also have straa not as much

information is shared with straa but there is data that's available so these are the two that you're primarily going to see on any type of newer extraction for the aura ring application we're going to see some historical data that's available with Google Fit um on some of the older databases that are available and we're going to temporarily see some Google Fit Health Connect where you can find some of the aura application information that's going to be until about 2 2026 and I think that's when Google Fit is completely getting rid of the application and everything so after that time frame you still make may see some historical but going forward you should not see anything with Google

fed all right so on the Android device so what do we do when we start investigations we start immediately trying to get as much data as we can as quickly as we can so I ran the image once I did the extraction through AAP because I was able to get information faster than running it through autopsy to begin with here we have our package name com. or ring. Ora we have the time that the application was last opened and then we have the account information we also have first download yeah it's going to be hard to see sorry about that it's probably going to be the same okay I know it's hard because it's a

screenshot so all right so this is runtime permissions this gives us permissions um what I gave permission for the oring to do with the device did I give it permission for Bluetooth did I give it permission for Wi-Fi is there a camera available on the oring the answer is no but did I give that the answer is going to be false on this runtime permissions data locations these are the primary three locations you're going to see Ora ring data so at com. or ring. Ora when Ora just updated their application um I believe it October of 2024 they changed over where the data is completely stored so now we have so much more data that's available at comp.

ring. Ora which was never there for before so if you have historical data a lot of it's not going to be in the com. or ring. or it's going to be in the other databases that we talk about so here we have the bootloader we have the firmware we have I really like how they came out with Oreo um I know again you can't see it but they came out with um the firmware for the aura ring as Oreo and it's actually interesting because Android has different flavors and now AA ring is copying that over so I was like oh look it's Oreo I know that one all right W these screenshots are terrible I'm

sorry about this um so we're going to have the manifest.json um which is more historical that's going to give you the firmware the package information um the bootloader and then we have the new oh good I put an EAC times in there so we can see it a little bit better okay so now this is going to be where all of the data is stored for aing it's going to be at files at app. log so we're going to have the MAC address we're going to have the firmware version we're going to have the serial number again we're going to have the glossy black size 9 we have the API version we have the hardware version

and then we have the setup date so Ora ring runs in Unix milliseconds in order to look at their time stamps we can see some okay good yes okay so this is where we have our event that we can see we can see workout information we can see start and stop times and then so I had the funny little story about the cycling um so when I was driving to the location to do data generation because I try not to do that at home because I don't want things showing up on the devices where I live and it detected I was cycling riding a bike while I was in my car not that slow you've been in the car

with me that does not happen um so we have cycling that comes on um and I pressed confirmed because I wanted to see what the data looked like even though that's not what I was doing um so it just shows that it was there but it actually tells me that I confirmed that this was the actual workout that I told it that it detected automatically I just hadit the yes I just hit the button user interaction I hit confirm so I'm telling the application that I did that so then we have so then we have um I don't think you can see it there okay we have walking I don't know if you guys can see that like the very top box

so that is a manual entry so I'm able to manually tell the application that I did an activity you confirmed and then automatically detected um one of the caveats to walking a beagle is that your hand tends to stay firm so the oring didn't do a whole lot of detection cuz that hand was not moving that had the aing on it but we can tell somebody to insert Al or it's real yeah that's true that's the point yeah so on the application itself you can see where we have we can manually enter it so we can select that option and then we can select whatever activity that comes up in their list and I think there's 75

different type of activities um that we can select and then it'll ask you what the start time was how long it was and what your intensity was um if oring detected a heart rate around this time it'll sync that up as well to give you that additional heart rate data all right so here we have the native app. Json um we have here again we're going to confirm from the application version of oring the installation uuid again you can't see these screenshots it's terrible sorry about that um yeah this yes it record so this one detects just information this specific crash litics um only detects this specific information and then there's additional applications I don't know if you guys

can see them like here yes correct it's just if the application crashed and it'll it'll dump a bunch of information into these three and if you go back out you'll see the um up here at the top you'll see this ID number um so any crash events will automatically pile under that number that's associated with the device the application um we have the aura preferences XML um here we set the user can set their preferences do they want notifications do they want Circle um we do we want to tell me when I've been inactive um circle is actually pretty interesting because you can share data with another user um I have yet to find where that information is stored on the

device so that is a work in progress um but I have because I have um two different phones that I'm working with so I should be able to see it at some point I'm just trying to still figure out where that data is stor but if it's enabled um you will see a text message that comes through because the person has to confirm that they want to be part of circles so you may see messages that confirms another user is added to the circles you do see that information in the messages Health core DB so this is where information historically was stored this is where you normally found everything however there's less and less data

available in this application at present I feel like when Google switches over and converts we'll have a lot more data in here but I think they're still trying to migrate a lot of that information over um it does give us our last sync time um when the ring actually syncs to the device a lot of times this the ring won't automatically sync to the application um it's getting a trigger by connecting the ring to the Bas um swiping down on the application to tell it hey I want you to s um which I had to do a lot while I was walking the dog because it didn't want to say hey you're doing something um we have health DB um and

then we have additionally because this is where it's saved we have biking information um we see how we have I don't know if you guys can read this we have an update time that's when the ring synced to the device but we'll get that start and stop time of the activity over here and then it'll tell you actually what the user was doing by biking then in the application itself we can confirm any activity that they were doing if the data was stored there so here I have that I was walking this is the path I took um I'll caveat that with the oring does not have location data or way to do GPS location um it is only if

you have the dissociated device with it it does not even sync the GPS information if you have them separated so if you're wearing your for yes you your the this connected phone correct correct yes it'll just say the number of steps the distance it'll give you distance um it'll give you like your heart rate it'll give you how many calories they think you burned um things like that but again we're just finding security perspective From perspective agreed and I think I've always said that too I I'm like I think I was telling you earlier I'm like I really want GP pass to be on here at some point because I think this would be amazing for fors for a forensic

I look at everything from a forensic perspective not from a personal health use because when I create these um I create different personas I don't ever use my own health information my name nothing I have ESC my IP address as much as I can to be able to do things like this let's see all right so then we have data type um so data type 12 that you're going to see in the apps. healthcare databases Healthcare healthcore DB um data type 12 which is what this box is indicating will tell you that the user was sleeping it'll give you a start time an end time and the sync time which is great information um but identifying

what that user was doing at the time is um The Challenge obviously in forensics because of a lot of the the type coding that we get Google Fit um we do have some is that the only 12 on this database on this dat on this database yes I'll get into the other ones in a minute um Google Fit um we do have some information that's available here again we have activity in the Google Fit database um so we have 72 which will indicate sleep in this database same they're they're never going to be the same they're they're just not they just don't want to play nice together um activity type seven is um walking and and activity type one is

cycling or biking as we saw the null is just your heart it's just you pick them picking up your heart rate that's all that one is um and usually when you find and you look through the database you can usually find the start stop time to be exactly the same for all like for like three different activities so it'll say yeah go ahead okay thank you um so they'll have the all at the same time and it'll have the same sync time as well um historically this is where we're going to find information um about the fitness database for Google Fit again we're still going to see the seven we're going to see the um 72 that indicate

that information and again this is going away this is not um 45 I've not been able to figure out what it is um only because it has a hash belly associated with it so I have not dug into it because this is an older database that is not available on the current application um Cloud if you have access to the user's Cloud we have a lot of information that's available here um sleep period daily sleep daily Readiness activity notes and tags daytime heart rate um ideal bedtime location and O2 I really like the location not sure you can see it good great but we have uh Latin long we have time stamps that are associated with them and then you can

actually plot the coordinates um so we can get some great information if we have access to the users uh Cloud database um sleep again so sleep is a really interesting one because in the database itself we have the start time last and the end time first and that's because the end time is going to be the date that the user woke up the start time is the user fell asleep so at the end where you see day that's going to be the time the day that they woke up not the time that they went to sleep um Google takeout does have oring information available um we have step counts we have distance um if we coordinate that back

with the app. log um we can verify and validate that information that's showed up in the Google takeout future work I'm going to identify every single activity um type that is listed and the options um but that's a huge undertaking and I'm working on it um API and tokens to get the data from the cloud itself um iOS analysis I've already done the entire data generation and I'm just working on analyzing the data from the iOS device and then creating parsers for AAP and IAP questions comments concerns if you would like slides you're welcome to uh link up with that uh HTT website and get it go ahead does the oring oh really okay um does the aura ring have any way to

verify the identity of the person wearing it for example through blood vessel pattern analysis no okay so you could just give the ring to someone else and they could generate data for you okay and I've done that yeah um and it just shows up as it's mine yeah it'll change my Readiness score so there's your Alibi right there agre but you can change your Readiness information so it'll like you have you wear the ring for a while it'll automatically start detecting your overall health and like give you that number that I showed you at the beginning um so if somebody else wears it that readiness is going to change okay cool similarly I'm wor it similarly is

that Readiness in between the three and the four is the temperature that really like helps fine tune that because different body temperatures not just the temperature but the motion because the sensors have improved a great deal with Generation 4 compared to generation three so that is a huge huge difference because like if I just move it's going to pick up something where Generation 3 we have like three bubbles on it that kind of because it's an epoxy resin it doesn't automatically connect right to your skin where the other sensors do if that makes sense it does yeah go um I was kind of surprised there's no uh like you weren't able to get like great internal photos of it um did they

have I mean you said that it was hard to get in there with the resin um well do they have uh like FCC uh documents that they submitted where you have internals really because it's not oh okay that'll do it they not available okay cool actually get pictures of the internal they do have a couple where you can there's like a YouTube that they have available you can take a look at some of them but they clearly show only a certain angle on purpose that you don't see everything that's in there generation i f it and one other company did X-rays of it so you can see some of the components but because a lot of it

is proprietary you can't identify what they are see the layout interesting you can see the layout you can kind of guess what they are but that's about it you great question yeah who wants to go next

okay what about uh intercept what about intercepting the data so what about intercepting the data if someone's in your circle then you somehow have access to their information does that mean you could use your rooted pixel in order to to pull some more go go to the store to pull information down or is there other things like how how good is the encryption here that's a great question yep sorry that's a great question um because I have not found where the data is stored from circles yet I'm on I'm not sure but even on the application there's not a lot that shares you can see that that user connected with that person so as far as security goes I have

not I searched the entire database for the other users like name I searched the entire full file system for it I was not able to find anything related to other user and the serial right and there was nothing there are are you able to load other firmware on the oral ring have you looked into that you were not able to okay no great question go ahead with the uh application itself is there any like anti forensics built into it any obic or is most of the research to this point primarily around the database um there's the only way anything for anti forensics is the um passcode to get into your phone otherwise if you g the passcode in

your phone I can look at your aing data there's nothing that says that I can't get into it and look at all of your information I can look up everything you're synced I can look up your GPS data no it's not in a regular backup you need a full file system it does not show if you just do like a like just a quick backup of the device okay great question next back there um oh sorry I mine's super quick um like with your credit card information that is stored on there that is that anywhere in the no so when I'm G to caveat that is I did not enter my credit card information on the

application I did it in the cloud okay and there's there was nothing even if I go to the cloud to try to get that information it doesn't show me my credit card information it doesn't even store it there okay cool thank you thank you yeah who was it that was going just the question what about dat integ are you able to manipulate those dat to make it yes fabricate yes when we have the DB the health core DB yes we are able to and then get them um we are able I'm able to manipulate that database and then I can save that database with different with different data if I wanted to yeah but your has value

wouldn't mat correct but you can manipulate it but it's not you would be able to detect that so yeah we have a question where being or utilized in functions that weren't was there any data that was being utilized or gathered in functions that weren't objectively clear to their purpose in the app um yeah I really just the activity of the Sleep um you have to try to coordinate everything to try to figure out what that is um some of the databases like I showed you biking and cycling um some of the other databases don't show that and they don't correlate with where that data came from so you have to kind of piece it together okay

but other than that right and lining up like right lining up the databases to see what matches the time stamps that match and based what I was doing so okay any other questions just you want to start running these thanks for uh sharing the research it it was amazing to see all that um just want to know after having done all this what would you do differently if you could do that

again because I still have ongoing research with it what I would do differently is i' would probably try to wear the device a lot more to see what activity is different than what I am personally doing like we saw cycling but I want to see what other data is incorrect because I think that's a big thing for in presic investigators too is to understand what is wrong and what is not doing well so right or it's mislabeling I want that's the type of thing that I probably would do more and I still oring always changes I went from gen 3 to Gen 4 who knows when the Gen 5 is going to come out and then I'll

probably update that as well yeah and then I us um will be different too so any other questions we're out of time all right sorry got to give a minute or two for our next presenter appreciate

it I have so much stuff